Re: [SECURITY] [DSA 2895-1] prosody security update

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 2895-1] prosody security update
From: Tom Fernandes <anyaddress@gmx.net>
Date: Sun, 06 Apr 2014 02:14:11 +0200
Message-id: <[🔎] 53409C53.8040401@gmx.net>
In-reply-to: <7092796.SdaoAHDTzD@mybox>
References: <7092796.SdaoAHDTzD@mybox>

Hi,

What about the prosody version in squeeze. Is it unaffected? If so, it
may help to make it clear in the DSA.

Warm regards and thanks for the good work,


Tom

On 06/04/14 01:10, Luciano Bello wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

-
-------------------------------------------------------------------------

Debian Security Advisory DSA-2895-1                   security@debian.org

http://www.debian.org/security/                             Luciano
Bello April 06, 2014
http://www.debian.org/security/faq -
-------------------------------------------------------------------------

 Package        : prosody

A denial-of-service vulnerability has been reported in Prosody, a
XMPP server. If compression is enabled, an attacker might send
highly-com- pressed XML elements (attack known as "zip bomb") over
XMPP streams and consume all the resources of the server.

The SAX XML parser lua-expat is also affected by this issues.

For the stable distribution (wheezy), this problem has been fixed in
version 0.8.2-4+deb7u1 of prosody.

For the unstable distribution (sid), this problem has been fixed in
version 0.9.4-1 of prosody.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.0-5+deb7u1 of lua-expat.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.0-1 lua-expat.

We recommend that you upgrade your prosody and lua-expat packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN
PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTQI03AAoJEG7C3vaP/jd0YFIQAIZPBm3OfgC09T8G5m1sP+ER
wcc/dV6Mm8Ldm3dXHpHRzAB5fds5LNPe2hmWsoa4QNkCLr0a2UHhnaf3wgHld1GU
6JGQBRGWA1IjS5fJotEVlOlLQZXxfNF9coajkAD0uUviUZYIt22XBmZRleHSrE4C
RZAVgFrjR2dZPDqDB9Cgnb6WAsPSn+zgPmMikdqC74RLIpl1+A7q5D4apbGUHCFa
kvID5E/V9SbfgVEN6F84XN5UbHprzGGF2RpNRGJUcNHcVGb/3CKWPNUg+BUDsbRL
IgwLLwClTue/+Wv0UDnIe3VyQr6h2c9+2diaj5n0DebAKE3cPpknTrrfacb9U1kS
J0NTrbEKH6XoggPTJPNRY1ut+kM4dVu0oYDV1nfGlGHBxmfM5GOMNKLBU+K79PFA
hNP/5shfjt8PmEG27n2UdDJiAjmVF6rWc2gdtyFQNArBZHlx0+KxBnLLYlx48r09
6W5YGhlTfVKeG07DOCCqxBHi84CL6GJ0BFn4/sE6SQS+7bOSD4VYa+3xzThp7PQr
q/7NWX1rHcRm3iScJUlapZB6Zg6DzwuBJ5QcpKdWFzmYOJfDwp/GQTp+ddrSmhdc
JLcNO4M9mUjFJQuitfuJTGV2j36eehaZrDZ+iBnDquI5p6yQGP2tbL3S3VXPAQuM
W0hdkefNVJrhJztQvvbj =SKLx -----END PGP SIGNATURE-----

Reply to:

Prev by Date: Re: debcheckroot v1.0 released
Next by Date: Re: debcheckroot v1.0 released
Previous by thread: Re: debcheckroot v1.0 released
Next by thread: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?
Index(es):
- Date
- Thread